quality assessment review readiness - iia global - theiia documents/quality assessment... · dallas...

Copyright 2005, The IIA Research Foundation

QUALITY ASSESSMENT REVIEW READINESS AN ANALYTICAL STUDY OF THE LEVEL OF READINESS FOR A QUALITY ASSESSMENT REVIEW OF THE INTERNAL

AUDIT FUNCTION AT ORGANIZATIONS OF VARIOUS SIZES AND OPERATING IN A VARIETY OF INDUSTRIES

Dallas Chapter of the Institute of Internal Auditors

Authors

Thomas Keils, CPA, Committee Chair Paula Whatley, CPA, Committee Co-Chair

Research Project Committee:

Alpa Parikh, ACCA Michael Mask Idris Buhidma Daniel Heyl

April 2005 (Survey Results: 2004 2005)

Quality Assessment Review Readiness

Dallas Chapter of The Institute of Internal Auditors 1

TABLE OF CONTENTS

I. Objective and Methodology........................................................................................... 2

II. Definition of Quality Assessment Review .................................................................... 3 i. Requirements and Timing ......................................................................................... 3 ii. The QAR Process...................................................................................................... 4

III. Survey ........................................................................................................................... 6 i. Survey Demographics ............................................................................................... 6 ii. Survey Results .......................................................................................................... 7

IV. Conclusion .................................................................................................................. 16

V. Works Cited................................................................................................................. 18

VI. Acknowledgement ..................................................................................................... 19



I. OBJECTIVE AND METHODOLOGY

The objective of this project is to provide benchmarking data to our chapter members by obtaining relevant, timely information related to the level of readiness for a Quality Assessment Review (QAR) of the internal audit function at organizations of various sizes and operating in a variety of industries. In keeping with the Progress Through Sharing motto, the intent of this paper is to provide our chapter members with valuable information to help them move toward their QAR with ease.

This paper is based on information gathered through the survey process as well as current literature on the subject of QAR. Our survey questions were focused in several areas:

Background Information size of entity and audit department

Purpose, Authority and Responsibility audit committee involvement, policies and tone-at-the-top

Independence and Objectivity consideration of independence and reporting of errors or omissions

Proficiency and Due Professional Care Code of Ethics and CPE

Quality Assessment Program timing and extent of prior and planned QARs

Management of the Internal Audit Activity identifying risk

Engagement Planning and Performance planning, documentation and SOPs (Standard Operating Procedures)

Communicating Results departmental reporting standards



II. DEFINITION OF QUALITY ASSESSMENT REVIEW

i. REQUIREMENTS AND TIMING

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. (The IIA Board of Directors Guidance Task Force) In today s environment the need for a quality, independent internal audit function is more critical than ever before. In addition, there is greater pressure from management for the internal audit function to provide value to the entity. The QAR process allows an internal audit function to measure itself against organization policies, stakeholder expectations, and industry best practices.

Quality Assurance Review is a fact of life for internal audit departments. The question is not if it is coming, but Will your internal audit department be ready when it arrives?

The IIA has been performing Quality Assessment Reviews since the 1980s. Originally The IIA was involved because some large members asked us to organize a peer review process that was somewhat limited. We did 10 to 20 of them a year for the Boeings, the IBMs, the Fords. Then on Jan.1, 2002, new quality assurance standards were introduced. (Stanek)

The IIA s Standards for the Professional Practice of Internal Auditing (Standards) require that internal auditing functions should have both internal and external quality assessments. This is a fundamental change in our profession until now, external quality assessment reviews were suggested in IIA guidelines but were not mandatory. Many internal auditing departments chose not to have external quality assessment reviews at all or did not have reviews on a regular basis, but effective January 1, 2002, external quality assessment reviews will be required at least once every five years. (Mandatory QAR Standards: Is Your Organization Ready?) These reviews are considered mandatory for more than 73,000 internal auditors because all Certified Internal Auditors and IIA members agree to abide by the IIA s Code of Ethics. The Code of Ethics requires that internal auditors perform their services in accordance with the Standards. In addition, many internal audit charters require that audit services be performed in accordance with the Standards. The need for quality assurance reviews is also recognized in other standards used by internal auditors, including government auditing standards and standards



developed for certified public accountants and chartered accountants in many countries. (Mandatory QAR Standards: Is Your Organization Ready?)

ii. THE QAR PROCESS

While the QAR process should include both internal and external assessments, the two serve different purposes. The internal assessments should provide for both ongoing and periodic reviews of the activities of the internal audit function by those familiar with the entity. External assessments should provide a thorough diagnostic review of the internal audit function. A typical assessment, whether internal or external, would follow the methodology outlined below:

Plan

Understand IA Objectives

Review IA Process

Deliver Findings

Look Ahead



In addition, the QAR team evaluates issues and ideas affecting the internal auditing department, including:

Partnering with management

Adding value by providing efficiency and effectiveness ideas to management

Integrating concepts of the business controls framework into the IA practice

Maximizing staff performance

Communicating effectively to staff and organization personnel

Developing staff, both personally and professionally

Using technology to increase efficiency and effectiveness

Establishing quality assurance programs (Internal Audit Quality Assurance review Methodology)



Response by Industry

Other8%

Gov't & Non-Profit10%

Financial Services

39%

Manufacturing10%

Energy10%

Retail15%

Telecom & Tech8%

Response by Country

USA92%

Canada8%

Response by Title

President3%

Vice President33%

Assistant Vice President

8%

Audit Director38%

General Auditor10%

Audit Manager8%

III. SURVEY

i. SURVEY DEMOGRAPHICS

In order to facilitate our survey we distributed thirty multiple-choice questions to members of the Dallas Chapter of the Institute of Internal Auditors via The Self-Assessor a web-based tool that supports self-assessments. We received 21 responses to the 231 assessments deployed in this manner, a 9% response rate. To further broaden our data pool we distributed 160 hard copies of the same thirty questions at the IIA s General Audit Management Conference (GAM). We received 39 responses to the 160 surveys handed out at GAM, a 24% response rate. In total we obtained a 15% response rate.

The following charts provide further demographic information on the responses received:



The survey questions were organized into eight categories. Each of these categories, with the exception of Background Information, was intended to represent an area of the Standards that should be followed by all internal audit departments and would therefore fall under scrutiny during the QAR process. Survey questions were determined based upon their applicability to all or the majority of internal audit functions and the probability that the answer to the question would lend insight into the internal audit functions readiness for a QAR in the near future.

ii. SURVEY RESULTS

In each area additional details are provided for questions where the answers provide insight useful in drawing conclusions. Please refer to the next few pages for detailed results.



Survey Results: Background Information 22%

0 - $ 500 million 15%

$ 500 million to $1 billion 37%

$1 billion to $5 billion 22%

$5 billion to $10 billion

What was the gross revenue of your company for the year ended December 31, 2004?

5%

Over $10 billion

52%

1 - 10 22%

11 - 20 10%

20 - 50

How many full time personnel are in your internal audit department?

17%

50 plus

10%

Less than one year ago 28%

1-5 years ago 7%

5-10 years ago

When was your internal audit department formed?

56%

10 plus years ago

63%

0% - Fully handled in house 27%

1% - 25% 3%

26% - 50% 3%

51% - 75%

What percentage of your organization's internal audit hours are outsourced?

3%

76% - 100%

63%

0% - 25% 27%

26% - 50% 7%

51% - 75%

What percentage of your organizations internal audit hours are related to information technology auditing?

3%

76% - 100%

Gross Revenue Of Respondents

05

10152025

$ 0 - $500

million

$ 500million to$1 billion

$1 billionto $5billion

$5 billionto $10billion

Over $10billion

Gross Revenue

Nu

mb

er o

f R

esp

on

den

ts



Survey Results: Purpose, Authority, and Responsibility 97%

Yes

Do you have an audit committee charter or similar document relating to the Boards oversight of the internal audit activity or other monitoring functions?

3%

No

92%

Yes

Is your charter current and relevant in view of any significant changes in the organization and/or the Institute of Internal Auditor Standards?

8%

No

8%

Monthly 85%

Quarterly

How often does the Chief Auditing Executive meet with the audit committee? 7%

Annually

98%

Yes

Does the company have policies and procedures in place to allow your Internal Audit department to access records and information throughout the organization without restriction?

2%

No

82%

The need and usefulness of IA is recognized

12%

IA is supported, but only via specific request

How would you rate the tone-at-the-top, in regards to management's attitude toward the internal audit function, in your organization?

7%

IA is provided assistance only when convenient

Organizations w ith an Audit Committee Charter

With97%

Without3%



Survey Results: Independence and Objectivity 52%

Yes

Is there a formal process for considering objectivity and independence prior to assigning internal audit staff to an engagement?

48%

No

2%

Only members of the internal audit staff

96%

To all parties issued the initial final report

If errors or omissions are identified in a final communication subsequent to issuance of that document what parties in your organization will receive a copy of the addendum report? 2%

There will be no addendum report



Survey Results: Proficiency and Due Professional Care 33%

Integral part of IA staff training/evaluation

27%

All IA staff are familiar with the Code

27%

Only a select few are familiar with the Code

How aware are you internal audit staff of The Professional Practices Framework Code of Ethics?

13%

The Code is not an integral part of IA function

43%

Mandatory CPE requirements for all IA staff

35%

Requirements for IA staff with certifications

Do you have CPE requirements for your internal audit staff?

22%

No formal CPE requirements for any IA staff

73%

Always 22%

More often than not 3%

Sometimes

When assigning internal audit staff to engagements is their knowledge, skills and experience taken into consideration? 2%

Never

Skills Taken Into Account When Assigning Engagements

22%

2%3%

73%

Always

More Often ThanNotSometimes

Never



Survey Results: Quality Assessment Program 2%

More than 10 years ago 8%

More than 5, less than 10 years ago

23%

In the last 5 years

When did your organization's internal audit department last have an external quality assessment review performed?

67%

N/A

21%

The Institute of Internal Auditors

5%

Your external auditor at the time

26%

Big 4 accounting firm, not your external auditor

If your organization's internal audit department has had a quality assessment review who performed it?

47%

Another third party

56%

Yes, by January of 2007 3%

Yes, after January of 2007 7%

I do not know

Does your company's internal audit department plan to have a quality assessment review in the next year?

34%

No

29%

The Institute of Internal Auditors

9%

Your external auditor at the time

15%

Big 4 accounting firm, not your external auditor

6%

Other accounting firm, not your external auditor

If your organization's internal audit department does plan to have a quality assessment review in the next year, who has been or likely will be selected to perform that review?

41%

Another third party

44%

Yes

Does your organization perform ongoing reviews of the performance of the internal audit function through self-assessment or by other persons within the organization, independent of the internal audit function?

56%

No

53%

Full scope assessment

When your organization has its next quality assessment review do you anticipate using:

47%

Self-assessment with independent validation

Plan for QAR in Next Year

56%

3%7%

34%

Yes, after January2007

Yes, after January2007

I do not know

No



Survey Results: Management of the Internal Audit Activity 10%

Excellent 52%

Good 35%

Fair

How would you rate your process to identify, measure and manage enterprise risk?

3%

Poor

38%

Always 43%


Sometimes

During the planning process does the company consider the risk framework, strategic business plan and technology plan? 2%

Never

Monitoring Enterprise Risk

Excellent10%

Good52%

Fair35%

Poor3%



Survey Results: Engagement Planning and Performance 60%

Always 30%

More often than not

Internal audit considers the probability of significant errors, irregularities, noncompliance and other exposures when developing the engagement objectives?

10%

Sometimes

58%

Always 22%


Sometimes

My organization's internal audit department utilized formal audit work programs?

3%

Never

68%

Always 25%

More often than not

Internal audit engagements are properly supervised to ensure objectives are achieved, quality is assured and staff is developed?

7%

Sometimes

15%

Optimal 59%

Sufficient 17%

Insufficient

How would you rate the completeness and usefulness of your Standard Operating Procedures?

8%

Non-existent

77%

Always

The internal audit function follows the organization's policies and procedures related to record retention?

23%

More often than not

05

10152025303540

Number of Responses

Always Sometimes

Frequency of Supervision

Supervision on Engagements



Survey Results: Communicating Results 70%

Yes and follows the IIA Framework

22%

Yes, but it does not follow the IIA Framework

2%

Not formal, but follows the IIA Framework

Is there are formal process to communicate internal audit results to management and the audit committee?

7%

No formal process or guidelines

40%

Yes

Is there a formal process for communication of noncompliance with the International Standards for the Professional Practice of Internal Auditing or the Code of Ethics to senior management and the board?

60%

No

QAR Based on Gross Revenue

05

10152025

$ 0 - $500

million

$ 500millionto $1billion

$1billionto $5billion

$5billionto $10billion

Over$10

billion

Gross Revenue

Nu

mb

er o

f R

esp

on

den

ts

Respondents

QAR



IV. CONCLUSION

An overwhelming majority of those responding to this survey appear to have active audit committees with current and relevant charters. There was also general agreement that the management of their organizations provided an appropriate tone-at-the-top. This is encouraging, as these corporate attitudes will help promote an effective internal audit function.

It appears that a large number of organizations do not ensure that all internal audit staff are familiar with the Code of Ethics. However, well over half indicated that internal audit engagements are always properly supervised to ensure quality, always utilized formal audit work programs and considered the probability of significant errors during the planning process.

In June and July of 2003 the results of an IIA quick poll indicated that 61% of respondents had not undergone a QAR in the past five years and did not have any immediate plans for a QAR. Responses to this survey indicate that while 56% do not perform ongoing self-assessment, 23% of the responders to our survey have undergone a QAR in the last five years and 56% plan to have a QAR prior to the January 2007 deadline. This shift in attitude indicates that more focus is being placed on quality than in the recent past. However, in today s environment internal audit shops and professionals see the benefits of having a QA and know that peer review helps legitimize us as a profession. (Stanek)

Although the IIA does not have regulatory authority to impose sanctions on internal auditors that do not comply with the QAR requirements, the number of QARs performed is expected to rise rapidly over the next few years. For those organizations that have never undergone a QAR it might seem to be a daunting process. There are several things that these organizations can do to prepare and ensure that the process is as painless as possible:

Get familiar with both the Standards and the Code of Ethics

Determine if there is room for immediate improvements within your organization

Review information related to QAR from the IIA. This information included the Quality Assurance Review Manual and Practice Advisories

Network with other internal auditors to gain insight into what other departments are doing related to QAR

Consider obtaining training by attending an IIA seminar on QAR



While preparing for a QAR can be time-consuming and costly the benefits far out weigh the costs. The QAR should provide assurance to stockholders and other third parties, improve efficiency thereby lowering audit cost, and benchmark practices against industry standards. In addition to the benefits derived from the QAR, the process of preparing for the review should provide the department with a clearer understanding of their mission and how to perform it effectively and efficiently.



V. WORKS CITED

"Internal Audit Quality Assurance review Methodology." KnowledgeLeader provided by Protiviti. 13 Nov. 2000. KnowledgeLeader. 24 Feb. 2005 <http://www.knowledgeleader.com/InternalAudit/website.nsf/print/MethodologiesModelsInternalAudit>.

"Mandatory QAR Standards: Is Your Organization Ready?." The Institute of Internal Auditors. 24 Feb. 2005 <http://www.theiia.org/index.cfm?act=content.print&doc_id=2212>.

Stanek, Steve. "Internal Audit and Quality Assessment - Advice on Meeting the New Standard." KnowledgeLeader provided by Protiviti. 09 Aug. 2004. KnowledgeLeader. 25 Feb. 2005 <http://www. knowledgeleader.com/InternalAudit/website.nsf/print/HotIssuesIAQualityAssessment>.

The IIA Board of Directors' Guidance Task Force. The Professional Practices Framework. Altamonte Springs: The Institute of Internal Auditors, 2004.

http://www.knowledgeleader.com/InternalAudit/website.nsf/print/MethodologiesModelsInternalAudit>

http://www.theiia.org/index.cfm?act=content.print&doc_id=2212>



VI. ACKNOWLEDGEMENT

We would like to express our appreciation to Protiviti for all the support, both monetarily and in personnel time, that was dedicated to this effort.

quality assessment review readiness - iia global - theiia documents/quality assessment... · dallas...

Documents